DRM obfuscation vs auxiliary attacks Show me your trace and Ill tell - - PowerPoint PPT Presentation
DRM obfuscation vs auxiliary attacks Show me your trace and Ill tell you who you are REcon 2014 Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function whiteboxed : AES-CBC
Show me your trace and I’ll tell you who you are REcon 2014
Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco
Camille Mougey @Quarkslab during the study @CEA-DAM now Like working on obfuscation, RE, networks, algorithms, Water-Pony, . . . Francis Gabriel @Quarkslab Enjoy RE, cryptography, DRM analysis, . . .
Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco
Reverse engineering DRM discovery (R&D) Attack methodology
Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco
Reverse engineering DRM discovery (R&D) Attack methodology Execution trace Context evolution collection during runtime Collected data management & analysis
Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco
Reverse engineering DRM discovery (R&D) Attack methodology Execution trace Context evolution collection during runtime Collected data management & analysis Code obfuscation What we (try to) fight Auxiliary attacks (based on execution trace)
Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco A few words on obfuscation
Purposes Code protection (whole or part) Make the analysis harder and longer Raise RE costs
Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco A few words on obfuscation
Purposes Code protection (whole or part) Make the analysis harder and longer Raise RE costs Some bad guys Code flattening Data flow protection Junk code . . .
Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco A few words on obfuscation
Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco DRM discovery
Network communication Packets content lookup High entropy data ⇒ Maybe some compression or crypto here :)
Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco DRM discovery
Network communication Packets content lookup High entropy data ⇒ Maybe some compression or crypto here :) Application’s binary analysis (static and dynamic) CFG is flattened Instructions in all basic blocks seem obfuscated
Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco
1
First layer: Code flattening Reminder Methods
2
pTra
3
Algorithm reconstruction : RSA-OAEP
4
Rebuilding a cipher function“whiteboxed” : AES-CBC
5
Ecofriendly step: Instruction substitution
6
Bonus
Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco Reminder
1
First layer: Code flattening Reminder Methods
2
pTra
3
Algorithm reconstruction : RSA-OAEP
4
Rebuilding a cipher function“whiteboxed” : AES-CBC
5
Ecofriendly step: Instruction substitution
6
Bonus
Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco Reminder
Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco Reminder
Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco Reminder
How to deal with this kind of protection?
Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco Methods
1
First layer: Code flattening Reminder Methods
2
pTra
3
Algorithm reconstruction : RSA-OAEP
4
Rebuilding a cipher function“whiteboxed” : AES-CBC
5
Ecofriendly step: Instruction substitution
6
Bonus
Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco Methods
Study the protection itself Symbolic/Concolic execution of target code Advantage: we can reuse know-how on other similar targets If protection is too complex: Lot of resources needed Combinatory explosion Work in progress. . .
Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco Methods
Study the protection itself Symbolic/Concolic execution of target code Advantage: we can reuse know-how on other similar targets If protection is too complex: Lot of resources needed Combinatory explosion Work in progress. . . Study only one execution Produce an execution trace No more CFG but. . . We obtain just one path to analyze Advantage: code understanding is easier
Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco Methods
Execution trace approach
1
Context evolution recording
registers state executed instructions memory accesses
2
We needed a tool to manage execution trace
3
We needed modules to extract information
Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco Methods
Execution trace approach
1
Context evolution recording
registers state executed instructions memory accesses
2
We needed a tool to manage execution trace
3
We needed modules to extract information Concepts to deal with Instrumentation: Execution’s data collection Database: Efficient trace storage Processsing: Relevant information access
Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco Methods
Execution trace approach
1
Context evolution recording
registers state executed instructions memory accesses
2
We needed a tool to manage execution trace
3
We needed modules to extract information Concepts to deal with Instrumentation: Execution’s data collection Database: Efficient trace storage Processsing: Relevant information access That’s why we made pTra
Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco
1
First layer: Code flattening
2
pTra What is this ? A few words on implementation Miasm in 2 slides
3
Algorithm reconstruction : RSA-OAEP
4
Rebuilding a cipher function“whiteboxed” : AES-CBC
5
Ecofriendly step: Instruction substitution
6
Bonus
Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco What is this ?
1
First layer: Code flattening
2
pTra What is this ? A few words on implementation Miasm in 2 slides
3
Algorithm reconstruction : RSA-OAEP
4
Rebuilding a cipher function“whiteboxed” : AES-CBC
5
Ecofriendly step: Instruction substitution
6
Bonus
Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco What is this ?
Python TRace Analyser Execution trace management framework Purpose: provide an API for manipulating the trace Fully modular, scalable Constraints Architecture independant (re-usability) Acceptable response time (usability)
Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco What is this ?
Python TRace Analyser Execution trace management framework Purpose: provide an API for manipulating the trace Fully modular, scalable Constraints Architecture independant (re-usability) Acceptable response time (usability) ⇒ Generally speaking, be able to quickly implement an idea
Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco A few words on implementation
1
First layer: Code flattening
2
pTra What is this ? A few words on implementation Miasm in 2 slides
3
Algorithm reconstruction : RSA-OAEP
4
Rebuilding a cipher function“whiteboxed” : AES-CBC
5
Ecofriendly step: Instruction substitution
6
Bonus
Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco A few words on implementation
Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco A few words on implementation
Database MongoDB
Scalable Non relational, a good way to prototype
A database per trace
Avoid inter-trace lock Allow hypothesis on entries
Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco A few words on implementation
Database MongoDB
Scalable Non relational, a good way to prototype
A database per trace
Avoid inter-trace lock Allow hypothesis on entries
Getting an execution trace Intel PIN Miasm sandbox IDA, ollydbg, . . .
Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco A few words on implementation
Database MongoDB
Scalable Non relational, a good way to prototype
A database per trace
Avoid inter-trace lock Allow hypothesis on entries
Getting an execution trace Intel PIN Miasm sandbox IDA, ollydbg, . . . Disassembly engine DiStorm Then Miasm, to be architecture independant . . . and have an IR
Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco A few words on implementation
Detailed information available in [SSTIC 2014 - Actes]
Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco Miasm in 2 slides
1
First layer: Code flattening
2
pTra What is this ? A few words on implementation Miasm in 2 slides
3
Algorithm reconstruction : RSA-OAEP
4
Rebuilding a cipher function“whiteboxed” : AES-CBC
5
Ecofriendly step: Instruction substitution
6
Bonus
Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco Miasm in 2 slides
Context Developed by F. Desclaux Miasm v2 released in June 2014 Available on http://code.google.com/p/miasm
Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco Miasm in 2 slides
Context Developed by F. Desclaux Miasm v2 released in June 2014 Available on http://code.google.com/p/miasm Lego bricks
1
Python
2
Assembly / Disassembly engine“easy-to-write”
3
Intermediate representation RE oriented (8 words)
4
JIT engine (TinyCC, LLVM, Python based)
5
Regression tests :)
Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco Miasm in 2 slides
Features Supported architectures
x86 {16, 32, 64} bits ARMv7 / Thumb MSP430 SH4 MIPS32
Customizable simplification engine PE / ELF / shellcode sandboxing Common MSDN APIs simulation (or how to rewrite Windows architecture independant) ELF / PE binary manipulation thanks to Elfesteem Links with STP solver, debuggers, IDA viewer
Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco Miasm in 2 slides
Demo: Shellcode sandboxing (Try & die approach)
Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco Miasm in 2 slides
Demo: ARMv7 execution trace - MD5
Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco
1
First layer: Code flattening
2
pTra
3
Algorithm reconstruction : RSA-OAEP Introduction Constants detection Dataflow obfuscation Data slicing and functions rebuilding
4
Rebuilding a cipher function“whiteboxed” : AES-CBC
5
Ecofriendly step: Instruction substitution
6
Bonus
Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco Introduction
1
First layer: Code flattening
2
pTra
3
Algorithm reconstruction : RSA-OAEP Introduction Constants detection Dataflow obfuscation Data slicing and functions rebuilding
4
Rebuilding a cipher function“whiteboxed” : AES-CBC
5
Ecofriendly step: Instruction substitution
6
Bonus
Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco Introduction
What we want to know Fully understand an algorithm What’s inside (encryption, derivations, . . . ) ⇒ pTra database contains all we need
Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco Introduction
What we want to know Fully understand an algorithm What’s inside (encryption, derivations, . . . ) ⇒ pTra database contains all we need How to proceed
1
Identify all parts (functions, crypto)
2
Find inputs and outputs of each part
3
Understand links between them
Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco Constants detection
1
First layer: Code flattening
2
pTra
3
Algorithm reconstruction : RSA-OAEP Introduction Constants detection Dataflow obfuscation Data slicing and functions rebuilding
4
Rebuilding a cipher function“whiteboxed” : AES-CBC
5
Ecofriendly step: Instruction substitution
6
Bonus
Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco Constants detection
What we know A cryptographic algorithm can be composed of some“magic” constants Hash functions are a good example If an algorithm is present, we must find its constants
Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco Constants detection
What we know A cryptographic algorithm can be composed of some“magic” constants Hash functions are a good example If an algorithm is present, we must find its constants Where can we find them? Interesting places: Instructions (static analysis) Processor’s registers Memory accesses ⇒ pTra provides a direct access to these elements
Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco Constants detection
Method Add a module to pTra Full research in database for known constants Avoid false positives
Low probability We can group results to detect isolated constants
Simple, quick and efficient
Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco Constants detection
Method Add a module to pTra Full research in database for known constants Avoid false positives
Low probability We can group results to detect isolated constants
Simple, quick and efficient Results Mersenne Twister identification (0x6c078965) SHA-1 identification (0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476,
0xc3d2e1f0)
⇒ Adding SHA-1 primitives knowledge into our call graph (init, update,
final)
Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco Dataflow obfuscation
1
First layer: Code flattening
2
pTra
3
Algorithm reconstruction : RSA-OAEP Introduction Constants detection Dataflow obfuscation Data slicing and functions rebuilding
4
Rebuilding a cipher function“whiteboxed” : AES-CBC
5
Ecofriendly step: Instruction substitution
6
Bonus
Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco Dataflow obfuscation
Purposes Unidentified functions:
Understanding I/Os can help us to identify them
Already identified functions:
Find where arguments come from Establish the link with other algorithms
⇒ We must find functions input and output
Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco Dataflow obfuscation
Purposes Unidentified functions:
Understanding I/Os can help us to identify them
Already identified functions:
Find where arguments come from Establish the link with other algorithms
⇒ We must find functions input and output What we know By studying memory accesses of a function: If a data is processed, it will be read Results (outputs) will be written ⇒ pTra can help us to find them
Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco Dataflow obfuscation
Methods To identify outputs:
Memory diff (state after) - (state before) We can remove data written and read before the end (temporary data)
To identify inputs:
Data read for the first time by the function
We can add several heuristics (pointers detection, blocks grouping, entropy computing, . . . )
Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco Dataflow obfuscation
Facts Very efficient method to link algorithms parts between them We found another protection by looking for I/Os: transformed memory
Data in memory never appear in clear format No pattern identified in the code There is a derivation function per memory area
Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco Dataflow obfuscation
Facts Very efficient method to link algorithms parts between them We found another protection by looking for I/Os: transformed memory
Data in memory never appear in clear format No pattern identified in the code There is a derivation function per memory area
Identified algorithms Identified SHA-1 inputs/output verified SHA-1 inputs : Certificates ⇒ Cert-chain validation RSA-SHA1 signature algorithm is used ⇒ We have to identify RSA function
Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco Dataflow obfuscation
Main idea Destroy modular exponentiation effect of RSA Compare execution traces
Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco Dataflow obfuscation
Main idea Destroy modular exponentiation effect of RSA Compare execution traces Steps
1
We know RSA algorithm is used (at least) in cert-chain validation
2
Patch all certificates pub exponents to 1
3
Patch all certificates pub modulus to max value (0xFF..FF)
4
Produce a new execution trace
5
Locate some functions differences (in number of instructions)
6
RSA located (±50 million instructions)
7
⇒ Add RSA knowledge to the call-graph
Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco Data slicing and functions rebuilding
1
First layer: Code flattening
2
pTra
3
Algorithm reconstruction : RSA-OAEP Introduction Constants detection Dataflow obfuscation Data slicing and functions rebuilding
4
Rebuilding a cipher function“whiteboxed” : AES-CBC
5
Ecofriendly step: Instruction substitution
6
Bonus
Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco Data slicing and functions rebuilding
Definitions Data tainting: find all elements that depend on a given one Data slicing: find all elements influencing a given one Data tainting is forward, and slicing is backward
Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco Data slicing and functions rebuilding
Definitions Data tainting: find all elements that depend on a given one Data slicing: find all elements influencing a given one Data tainting is forward, and slicing is backward Data slicing implementation Using Miasm IR:
1
Symbolic execution of basic block containing target element
2
We get dependencies of its equation
3
Search for latest writes of each ones
4
And so on. For data tainting, we proceed almost the same way. We just target elements whose contain the target in their dependencies.
Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco Data slicing and functions rebuilding
Demo: pTra - Slicing as a commercial (with colors)
Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco Data slicing and functions rebuilding
R2, R4, R5 : Random values
Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco
1
First layer: Code flattening
2
pTra
3
Algorithm reconstruction : RSA-OAEP
4
Rebuilding a cipher function“whiteboxed” : AES-CBC Some clues Dynamic AES-CBC WhiteBox identification Results
5
Ecofriendly step: Instruction substitution
6
Bonus
Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco Some clues
1
First layer: Code flattening
2
pTra
3
Algorithm reconstruction : RSA-OAEP
4
Rebuilding a cipher function“whiteboxed” : AES-CBC Some clues Dynamic AES-CBC WhiteBox identification Results
5
Ecofriendly step: Instruction substitution
6
Bonus
Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco Some clues
Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco Some clues
Equivalence class statement Data d1 and d2 are equivalent if and only if their first reads are done by the same instruction. Two instructions are said the same if and only if they share the same address.
Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco Some clues
Equivalence class statement Data d1 and d2 are equivalent if and only if their first reads are done by the same instruction. Two instructions are said the same if and only if they share the same address. Example Class: 01 02 03 04 01 02 03 04 01 02 03 04 05 Data: 63 66 F5 F3 76 DC B1 C1 F6 BC 4D 21 7E
Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco Some clues
Equivalence class statement Data d1 and d2 are equivalent if and only if their first reads are done by the same instruction. Two instructions are said the same if and only if they share the same address. Example Class: 01 02 03 04 01 02 03 04 01 02 03 04 05 Data: 63 66 F5 F3 76 DC B1 C1 F6 BC 4D 21 7E Grouping 63 66 F5 F3 76 DC B1 C1 F6 BC 4D 21 7E
Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco Some clues
Applied to dataset
1 16 bytes +-------------------+ | Block 1 | +-------------------+ | Block 2 | +-------------------+ | | | Block 3: | | Group of 16 | | bytes block | | | +-------------------+
Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco Some clues
Applied to dataset
1 16 bytes +-------------------+ | Block 1 | +-------------------+ | Block 2 | +-------------------+ | | | Block 3: | | Group of 16 | | bytes block | | | +-------------------+
Applied to output block (reversed way, last write)
1 2 16 bytes +--+ | | /* 2 bytes blocks */ +--+ +----------------+ __| | | | | Bytes group | | | | | | ________| | | +----------+ +--------+ /* Bytes | |
+--------+
read */
Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco Some clues
1 def make_C3(inp): 2 3 C3 = [inp] 4 for i in xrange (10): 5 tmp = [] 6 tmp.append(inp [0] ^ table1 [(0 x100*i)+inp [13]]) 7 tmp.append(inp [1] ^ table2[inp [14]]) 8 tmp.append(inp [2] ^ table2[inp [15]]) 9 tmp.append(inp [3] ^ table2[inp [12]]) 10 tmp.append(inp [4] ^ tmp [0]) 11 tmp.append(inp [5] ^ tmp [1]) 12 tmp.append(inp [6] ^ tmp [2]) 13 tmp.append(inp [7] ^ tmp [3]) 14 tmp.append(inp [8] ^ tmp [4]) 15 tmp.append(inp [9] ^ tmp [5]) 16 tmp.append(inp [10] ^ tmp [6]) 17 tmp.append(inp [11] ^ tmp [7]) 18 tmp.append(inp [12] ^ tmp [8]) 19 tmp.append(inp [13] ^ tmp [9]) 20 tmp.append(inp [14] ^ tmp [10]) 21 tmp.append(inp [15] ^ tmp [11]) 22 C3.append(tmp) 23 inp = tmp 24 25 return C3
Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco Some clues
Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco Dynamic AES-CBC WhiteBox identification
1
First layer: Code flattening
2
pTra
3
Algorithm reconstruction : RSA-OAEP
4
Rebuilding a cipher function“whiteboxed” : AES-CBC Some clues Dynamic AES-CBC WhiteBox identification Results
5
Ecofriendly step: Instruction substitution
6
Bonus
Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco Dynamic AES-CBC WhiteBox identification
Identification Try to reproduce intputs/outputs ⇒ Results don’t match ⇒ Encryption steps are completely done on modified states, key in input list ⇒“ Dynamic ”whitebox
Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco Dynamic AES-CBC WhiteBox identification
Identification Try to reproduce intputs/outputs ⇒ Results don’t match ⇒ Encryption steps are completely done on modified states, key in input list ⇒“ Dynamic ”whitebox Interest in a DRM Wasting analysts time Hiding inputs and outputs Difficulty to reproduce the algorithm on another system (apart ripping it) Reverse algorithm is hard to find
Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco Results
1
First layer: Code flattening
2
pTra
3
Algorithm reconstruction : RSA-OAEP
4
Rebuilding a cipher function“whiteboxed” : AES-CBC Some clues Dynamic AES-CBC WhiteBox identification Results
5
Ecofriendly step: Instruction substitution
6
Bonus
Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco Results
Attack
1
Homomorphic algorithm (to XOR)
2
Mathematic properties needed
3
A limited set of candidates ⇒ Derivation functions computation We are finally able to read/alter values encrypted by the algorithm, which is a 128 bits AES-CBC.
Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco
1
First layer: Code flattening
2
pTra
3
Algorithm reconstruction : RSA-OAEP
4
Rebuilding a cipher function“whiteboxed” : AES-CBC
5
Ecofriendly step: Instruction substitution Introduction Industrial version
6
Bonus
Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco Introduction
1
First layer: Code flattening
2
pTra
3
Algorithm reconstruction : RSA-OAEP
4
Rebuilding a cipher function“whiteboxed” : AES-CBC
5
Ecofriendly step: Instruction substitution Introduction Industrial version
6
Bonus
Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco Introduction
Trivial method For x ∈ [0, 232 − 1] : f (x) = (16 ∗ x + 16)mod232 could be rewritten as: f (x) = 129441535 − 1793574399 ∗ (1584987567 ∗ (3781768432 ∗ x + 2881946191) − 4282621936)
Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco Introduction
Trivial method For x ∈ [0, 232 − 1] : f (x) = (16 ∗ x + 16)mod232 could be rewritten as: f (x) = 129441535 − 1793574399 ∗ (1584987567 ∗ (3781768432 ∗ x + 2881946191) − 4282621936) Simplification Function simplified by modern compilation passes (particularly constant folding)
Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco Introduction
MBA : Mixed Boolean Arithmetic By mixing logical and arithmetical transformations: (x + y) ≡ ((x ∧ y) + (x ∨ y)) (x + y) ≡ ((x ⊕ y) + 2 × (x ∧ y)) (x ⊕ y) − y ≡ (x ∧ ¬y) − (x ∧ y)
Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco Introduction
MBA : Mixed Boolean Arithmetic By mixing logical and arithmetical transformations: (x + y) ≡ ((x ∧ y) + (x ∨ y)) (x + y) ≡ ((x ⊕ y) + 2 × (x ∧ y)) (x ⊕ y) − y ≡ (x ∧ ¬y) − (x ∧ y) Simplification Nothing from compiler passes Nothing more from MatLab, Maple, Mathematica or Z3
Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco Introduction
MBA : Mixed Boolean Arithmetic By mixing logical and arithmetical transformations: (x + y) ≡ ((x ∧ y) + (x ∨ y)) (x + y) ≡ ((x ⊕ y) + 2 × (x ∧ y)) (x ⊕ y) − y ≡ (x ∧ ¬y) − (x ∧ y) Simplification Nothing from compiler passes Nothing more from MatLab, Maple, Mathematica or Z3 Effective simplification Once equations are identified, capitalize them thanks to Miasm simplification engine By using the generation algorithm of these expressions
Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco Introduction
Construction A matrix A in {x, y, x ⊕ y, . . . } base (expressions are represented by their truth table) An associated vector v composed of {1, -1} standing for operation between elements Equation is valid / generalizable to 2n iff a linear combination of A’s columns is equal to null element
Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco Introduction
Construction A matrix A in {x, y, x ⊕ y, . . . } base (expressions are represented by their truth table) An associated vector v composed of {1, -1} standing for operation between elements Equation is valid / generalizable to 2n iff a linear combination of A’s columns is equal to null element Example x + y − (x ⊕ y)
v = (+1, +1, −1) (1) f1 = x = (0, 0, 1, 1) f2 = y = (0, 1, 0, 1) f3 = x ⊕ y = (0, 1, 1, 0) (2)
Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco Introduction
Example x + ¬x − (x ∧ y) − (x ⊕ y) + ¬y
Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco Introduction
Example x + ¬x − (x ∧ y) − (x ⊕ y) + ¬y A = 1 1 1 1 1 1 1 1 1 v = (+1, +1, -1, -1, +1)
Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco Introduction
Example x + ¬x − (x ∧ y) − (x ⊕ y) + ¬y A = 1 1 1 1 1 1 1 1 1 v = (+1, +1, -1, -1, +1) Linear combination +2 +0 +1 +0
Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco Introduction
Smallest addition to nullify A = 1 1 1 v = (-1, -1) Final equation x + ¬x − (x ∧ y) − (x ⊕ y) + ¬y − ¬y − ¬(x ∨ y) = 0
Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco Introduction
Smallest addition to nullify A = 1 1 1 v = (-1, -1) Final equation x + ¬x − (x ∧ y) − (x ⊕ y) + ¬y − ¬y − ¬(x ∨ y) = 0 x + ¬x − (x ∧ y) − (x ⊕ y) + ¬y = ¬y + ¬(x ∨ y)
Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco Industrial version
1
First layer: Code flattening
2
pTra
3
Algorithm reconstruction : RSA-OAEP
4
Rebuilding a cipher function“whiteboxed” : AES-CBC
5
Ecofriendly step: Instruction substitution Introduction Industrial version
6
Bonus
Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco Industrial version
Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco Industrial version
Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco
1
First layer: Code flattening
2
pTra
3
Algorithm reconstruction : RSA-OAEP
4
Rebuilding a cipher function“whiteboxed” : AES-CBC
5
Ecofriendly step: Instruction substitution
6
Bonus
Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco
Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco
Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco
Why O-LLVM? Open-source Recent project Implemented protections Instruction substitution Opaque predicates (Bogus control flow) Code flattening
Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco
Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco
Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco
Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco
Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco
Approach interests Allowed us to analyse state of the art obfuscation mechanisms One more method in analyst’s toolbox Can be used in other cases such as malware analysis, vulnerability research, . . .
Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco
Approach interests Allowed us to analyse state of the art obfuscation mechanisms One more method in analyst’s toolbox Can be used in other cases such as malware analysis, vulnerability research, . . . Obfuscation More and more used nowadays Public initiative O-LLVM, still too young Devices, even mobile ones, got enough resources to waste them
Introduction First layer: Code flattening pTra Algorithm reconstruction : RSA-OAEP Rebuilding a cipher function “whiteboxed” : AES-CBC Eco
Approach interests Allowed us to analyse state of the art obfuscation mechanisms One more method in analyst’s toolbox Can be used in other cases such as malware analysis, vulnerability research, . . . Obfuscation More and more used nowadays Public initiative O-LLVM, still too young Devices, even mobile ones, got enough resources to waste them Our approach isn’t better than others; it’s just another way to proceed :)
contact@quarkslab.com I @quarkslab.com